• Our website was hacked, and as a result there are hundreds of spam URLs listed in Google.
    We cleaned everything up, we thought. However, although the spam pages no longer exist, they redirect to the real site’s home page.
    As a result, as far as I can see, it will be difficult to get Google to delist them as they appear to go to a real page (i.e. our home page) and having so many redirects to the home page will surely harm our ability to rank on Google.
    The 404 pages for ‘real’ incorrect URLs do work – so there must be something, somewhere that is causing the redirect to happen.
    * I have replaced all the core files except content
    * I have replaced the theme files
    * I have zipped up and deactivated all plug-ins
    * I have deleted all transients from wp-options

    Does anyone have any idea how to track down how these redirects are happening please?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Did you have any plugins installed which handle redirects, such as Yoast SEO plugin? If so, check the settings of those, even though you deactivated them.

    The hackers could have just added redirects to the plugin/WP settings. Since those are stored in the WP database replacing files doesn’t change anything.

    I’m no expert on this, but redirects are handled on the server. It’s possible that the hackers actually attacked the whole server, not just your WordPress, and added redirects there. I suggest you contact whoever is in charge of the server.

    I think the problem may be with your .htaccess file, try to check it!

    Thread Starter greenweeds

    (@greenweeds)

    Hi there, thanks for both these responses. What I’ve discovered so far:

    • the hackers seem to have taken advantage of what I think is a bit of an oddity: if you add one of the URLs to ANY WordPress site it takes you to the home page. But obviously whilst the site was hacked, you would go to the spam page which is still listed in Google … – an example is /c=autopzionebinarie&7cc=38 on the end of the home page URL.
    • What this means is that I can’t ask Google to delist the pages that are hacked – any of them – because it won’t let you delist a page that exists. And as the spam after cleaning takes you to the home page, I can’t get rid of them quickly from Google. I can only hope they age out – IF it’s not still redirecting!
    • Me, the Wordfence people and the hosting people have checked the .htaccess and it checks out fine. But you’re right it could have been a problem there…
    • I do have Yoast SEO installed. I might try cleaning it out of the database as well as removing the plugin
    • I’ll double check with the hosters now just in case

    It looks a bit to me as though the hackers have spotted this oddity in WordPress and exploited it…. Grrrrrrr…. If I find the answer (or if anyone else does) I will post….
    (In case I confuse anyone it’s not my own website that was hacked but a client’s)

    Thread Starter greenweeds

    (@greenweeds)

    OK, the only way I can find to stop this until Google ages it out – since ANY unrecognised/unfulfilled parameter will take you to the home page – is this:

    1. Added this to .htaccess to remove the pages with the particular query string. Clunky but works

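    # Leave CSS and JS requests alone
    RewriteCond %{REQUEST_FILENAME} !^(.*)\.(css|js)$
    # Match any query string containing "c=" followed by lowercase letters
    RewriteCond %{QUERY_STRING} c=([a-z]+)
    # Answer with 404 Not Found and stop processing further rules
    RewriteRule ^(.*)$ - [R=404,L]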

    2. Gone to Google, looked in URL parameters, found parameter ‘c’ and told Google not to crawl it in future

    3. Manually submitted the 131 bad URLs remaining in Google for removal.

    Just have to wait for Google to catch up and pray that there’s not some essential function that uses c as a query parameter….
    Hope this helps someone.
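
An added example, not part of the original thread: a Python check of which URLs the .htaccess rule in the last post would answer with a 404, run over constructed sample URLs to show legitimate requests it also catches. It assumes the URL path can stand in for REQUEST_FILENAME, and `ANCHORED` is a hypothetical tighter pattern that is not in the post.

```python
import re
from urllib.parse import urlsplit

# The two RewriteCond patterns from the post; Apache applies them as
# unanchored searches, which re.search reproduces.
ASSET = re.compile(r"^(.*)\.(css|js)$")
POSTED = re.compile(r"c=([a-z]+)")
# Assumption (not in the post): only match a parameter named exactly "c".
ANCHORED = re.compile(r"(^|&)c=[a-z]+")


def blocked(url, query_pattern=POSTED):
    """Return True if the rule would answer this URL with a 404."""
    parts = urlsplit(url)
    # First condition: .css/.js requests are exempt. The URL path stands in
    # for REQUEST_FILENAME here (assumption).
    if ASSET.search(parts.path):
        return False
    # Second condition: the query string must match the pattern.
    return bool(query_pattern.search(parts.query))


def collateral(urls, query_pattern=POSTED):
    """Return the known-good URLs that the rule would also turn into 404s."""
    return [u for u in urls if blocked(u, query_pattern)]


# Constructed sample data: one spam-style URL built from the query string
# quoted in the thread, and some legitimate-looking URLs.
SPAM = ["/?c=autopzionebinarie&7cc=38"]
LEGIT = [
    "/?s=contact",
    "/?doc=manual",                      # "doc=manual" contains "c=manual"
    "/wp-admin/admin-ajax.php?action=heartbeat&misc=abc",
    "/wp-content/themes/example/style.css?c=abc",
    "/?c=123",                           # value is not [a-z]+
]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name, "blocks spam:", all(blocked(u, pat) for u in SPAM))
        print(name, "collateral:", collateral(LEGIT, pat))
```

Feeding `collateral` the site's real URL list (for example, paths taken from the sitemap or access log) before deploying such a rule shows whether any existing parameter ending in "c" would start returning 404.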

  • The topic ‘Spam URLs redirecting to home page after website hacked’ is closed to new replies.